[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <534448CF.9090507@orca-net.de>
Date: Tue, 08 Apr 2014 21:06:55 +0200
From: Tim Schütt <schuett@...a-net.de>
To: fulldisclosure@...lists.org
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
Nope, works also on other protocols like IMAPS.
Am 08.04.2014 15:30, schrieb Chris Schmidt:
> The bug is in the TLS implementation in OpenSSL, you will only see it on https
>
> Sent from my iPhone
>
>> On Apr 8, 2014, at 4:43 AM, "Nik Mitev" <nik@...ev.net> wrote:
>>
>> I used the tool Kirils linked (http://possible.lv/tools/hb/) and my
>> unpatched servers running a Tor node or an Openvpn server returned
>> correct (old) version of openssl but not vulnerable.
>> Is it the bug or the tool that seems to be limited to https I wonder?
>>
>> Patched now so can't test with this tool...
>>
>> -----Original Message-----
>> From: Fraser Scott <fraser.scott@...il.com>
>> To: fulldisclosure@...lists.org
>> Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
>> Date: Tue, 8 Apr 2014 10:24:02 +0100
>>
>> This seems to be the best test so far:
>>
>> http://s3.jspenguin.org/ssltest.py
>>
>> Other tests false-positive on patched versions from what I can see.
>>
>>
>>> On 8 April 2014 01:10, Kirils Solovjovs <kirils.solovjovs@...ils.com> wrote:
>>>
>>> We are doomed.
>>>
>>> Description: http://www.openssl.org/news/vulnerabilities.html
>>> Article dedicated to the bug: http://heartbleed.com/
>>> Tool to check if TLS heartbeat extension is supported:
>>> http://possible.lv/tools/hb/
>>>
>>> A missing bounds check in the handling of the TLS heartbeat extension
>>> can be used to reveal up to 64kB of memory to a connected client or server.
>>>
>>> 1.0.1[ abcdef] affected.
>>>
>>>
>>> P.S. Happy Monday!
>>>
>>> _______________________________________________
>>> Sent through the Full Disclosure mailing list
>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists